Despite this new air of, well, respectability, the conference is a free-for-all–heavy on alcohol, black hats, and off-color talks. DEFCON’s unofficial “survival guide” gives a taste of what to expect: Rule #1 reminds attendees that prostitution is illegal, Rule #2 warns against using the very-likely compromised ATM, and Rule #4 admonishes anyone who would connect to the DEFCON network–using no less than six anal sex jokes. This is not out character for a hacker con; one of my favorite presentations from HITBSecConf this year started with painful language lesson on picking up a prostitute in Malay. Once you got past that (oh, and the “fisting” references, too), there was some great information. Get the picture?

Recently, I trolled someone on Twitter who said wouldn’t attend DEFCON or Black Hat, because he preferred more secure, vetted environments. The comment is all kinds of stupid, because a convention like DEFCON is exactly where people who want to understand attackers should go–namely, anyone responsible for defending networks and hosts. However, there is no doubt that these conferences can be a hostile environment for a lot of professionals–not the least of which are women.

Let it be known that I went to Defcon with a reasonable amount of armor on already. I was reasonably aware of the frat party environment I was stepping into. I have many friends who are involved with helping make Defcon roll smoothly each year, from speakers to goons. And still, nothing could have prepared me for the onslaught of bad behavior I experienced.

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs). Or lastly, the man who, without prompting, interrupted my conversation and asked me if I’d like to come back to his room for a “private pillowfight party.” “You know,” he said. “Just a bunch of girls having a pillowfight…. fun!” When I asked him how many men would be standing around in a circle recording this event, he quickly assured me that “no one would be taking video! I swear!” I’m pretty sure this is the point where my lovely partner Morgan asked him if he thought propositions like his had anything to do with contributing to women not feeling welcome at Defcon. This was a very difficult concept for this poor soul to wrap his head around.

The project intrigued me and I have been meaning to write something, but I felt a real urgency to do so when Robert Graham of Errata Security posted a counterpoint of sorts to what he saw as punitive sexual harassment policies entitled “Sexual harassment policies: education please, not threats.”* His bottom line is this:

Education is a better solution to this than threats. Men should be told that just because she hasn’t slapped you doesn’t mean she’s in to you, it just means she is in a social situation she’s had little experience with.

The thing about hostile, threatening policies is that they discourage legitimate speech. People become scared and go too far censoring themselves. It becomes something that can be exploited by the disgruntled to censor things that have little to do with sexual harassment. As a guy, I don’t see the cases of sexual harassment that I know exists (from reliable reports), but what I do see is the frequent exploitation of anti-harassment policies.

Also, let’s talk about the frustrating social expectation of women needing to to be the patient educators… (1/2) [cite]

…vs the nonexistent expectation of men simply being more responsible and sensitive at cons. (2/2) [cite]

Graham responded in kind. The gist is that shaming doesn’t solve the problem long-term while education is a better route. Frankly, I find KC’s to be the more compelling argument. I, too, am unconvinced by the “‘men don’t know better/are unaware!’ excuse.” Graham cites the misogyny among male attorneys, for example; he seems to be saying attorneys are the exception to the rule, but I think there are some uncomfortable commonalities.

For better or worse (mostly worse), I have a lot of experience with attorneys. Today, more than 50% of law students are women, and the general sense I get is that there is this growth in very hostile attitudes among thirty-something (and younger) male attorneys towards women as a perceived threat to men’s position in the workplace. The harassment isn’t some poorly articulated come-on; it is a power play to defend their turf. While I doubt women have reached anywhere near that parity in the hacking community, it is worth asking the question how much of this behavior boils down to bullying and turf-defending.

A more compelling counterpoint came from @maradydd:

If you’d like some context, one of the stories @ErrataRob is telling is mine. [cite]

Here, KC and Graham are not too far apart. The card is an educational tool–one that might not work. Indeed, all education may not work. I sympathize with Graham’s desire to protect freedom of speech; I really do. However, I see little recourse except for the more ‘punitive’ measures such as BRUCON’s anti-harassment policy.

—

* – On Twitter, I initially attributed the article to David Maynor. Both are with Errata, and both tweeted about it. I simply hit “quote tweet” on the wrong one, and the misattribution followed from there. Mah bad!

“If by chance you were to ask me which ornaments I would desire above all others in my house, I would reply, without much pause for reflection, arms and books.”
—Fra Sabba da Castiglione, Knight of St. John